Doppel Named Official Partner of the New York Knicks
Partnership to Showcase Doppel to Knicks Widespread Audience Through In-Arena, Digital and Out-Of-Home Assets
Partnership to Showcase Doppel to Knicks Widespread Audience Through In-Arena, Digital and Out-Of-Home Assets
Why does social engineering keep working? Because it's cheap to launch and expensive to answer. Learn how to disrupt the attacker’s business model.

We keep treating social engineering as a human problem: a training gap, a careless click, a moment of bad judgment. It is really an economics problem. Over the last decade, the cost of running these attacks collapsed while the payoff held or grew, and the cheapest way into most companies stopped being a software exploit and became a conversation. Here is the attacker’s ledger, why their economics keep improving while yours keep getting worse, and where you can make the math stop working in their favor.
I have spent 25-plus years on the defending side of an arms race, and for most of that time the attacker’s side of the ledger was expensive. Breaking into a hardened network took skill, time, custom tooling, and a real chance of failure. I watched our side make that path harder every year: better patching, endpoint detection, multi-factor authentication, segmentation, zero-trust. We got very good at raising the cost of a technical intrusion. And the entire time, a second path stayed cheap, and we mostly left it alone. That path runs through people.
Social engineering does not win because attackers are uniquely clever or because employees are uniquely careless. It wins because it is the most cost-effective way into a modern company, and it gets cheaper every quarter. If you want to understand why these attacks keep coming, follow the money.
Picture the adversary as what they actually are: an operator running a business with unit economics. Four numbers decide whether that business is worth running. The cost per attempt. The conversion rate. The payout per success. And the cost of a failure. For most of the history of cybercrime, the cost per attempt was high enough, and the failure cost real enough, to keep the volume down.
That constraint is gone. When the cost of a failed attempt approaches zero, and a single success can pay out into seven figures, the conversion rate almost stops mattering. You can be wrong ninety-nine times out of a hundred and still run a wildly profitable operation. That is not a hacker’s mindset. That is a lottery-ticket business, and we handed the attacker a printing press for tickets.
Here is the part the industry does not like to sit with: The human path is the cheap path in large part because of how well we did the other job. Two decades of hardening the technical attack surface worked. It made exploits more expensive, more perishable, and less reliable. A rational economic actor, faced with an expensive front door and a cheap side door, does not admire the front door. They walk around to the side.
The front door of a modern enterprise is no longer a software exploit. It is a believable message for someone with access. We did not lose the technical-cost arms race. We won it, and the win pushed the adversary straight to the surface we had not priced at all.
Most of the AI commentary in this space is noise. AI writes cleaner phishing emails; the broken grammar is gone, the logo looks right. That is the least interesting thing AI did. What AI changed is the attacker’s cost of production.
The work that used to gate volume (i.e., researching a target, building a convincing persona, localizing the pretext into fluent language, writing and testing a dozen variants) used to take a skilled human hours. It now takes a model seconds, in any language, at any volume. A single convincing impersonation can stand up in minutes, target thousands of people, and disappear before anyone files a report. By some published estimates, the cost of producing a convincing lure has fallen on the order of 95 percent. The deception economy did not get more talented. It got industrialized. Industrialization is what turns a craft into a flood.
There is one more move that changed the economics, and it connects directly to the chain this series is built on. When the payload was a static file or a link, the attacker placed a bet and waited. The lure worked, or it did not. Once the payload becomes the conversation itself, the attacker can adjust in real time: answer the objection, build the rapport, soften or sharpen the ask as the target reacts.
That is the difference between a billboard and a salesperson. A billboard converts whoever happens to be susceptible. A salesperson works the specific person in front of them. Real-time adaptation raises conversion, and it does something else the attacker values just as much: a live conversation gives a static filter nothing to inspect. The adversary traded a low-conversion product for a high-conversion one and lowered their own detection cost in the same move. From the attacker’s ledger, that is close to a perfect product.
Now turn the ledger around. While the attacker’s cost per campaign fell, ours rose. A single coordinated operation does not arrive as a single event. It lands as a suspicious domain on one desk, a reported message on another, a takedown request on a third, an odd wire on a fourth, an account takeover on a fifth. Each fragment is labor: an alert to triage, an artifact to investigate, a ticket to open and close. Fragmented tooling turns one campaign into five investigations.
The attacker automated their side of this. We are still paying people to chase the symptoms one at a time. That is the asymmetry that actually matters. Not that the attack is sophisticated, but that it is cheap to launch and expensive to answer.
What actually moves these numbers? Training helps; it makes people better at spotting attacks, but better detection is not the same as less exposure. Asking an employee to out-detect an industrialized, AI-adapted, real-time deception is asking them to win a race we designed them to lose. When the 2025 Verizon DBIR clocks the median time to click a lure at 21 seconds, you are not looking at a control you can tune. You are looking at a reaction time you cannot beat. Treating the person as the last line of defense is not a strategy. It is a cost center the attacker is counting on.
You change the attacker’s economics the same way you changed it for technical intrusion. You raise their cost. The cheap, repeatable parts of their operation are the infrastructure they reuse: the lookalike domains, the staged personas, the recycled phone numbers, the cloned brand assets they stand up before a single message is sent. Find and dismantle that machinery early, before the lure goes out and again every time it reappears, and you take away the one thing that made the business model work: cheap, repeatable scale. Make the next campaign cost as much to build as the first, and you have done something no filter does.
This is why detection, by itself, never changes the attacker’s behavior. A detection tells you the money already moved. Disruption is what raises the cost of the next attempt, and the cost of the next attempt is the only number the adversary actually feels.
Social engineering is not a behavioral failure to be trained away. It is an adversarial business, and at the moment it is one of the best-run businesses in the threat landscape, because we let its costs fall while ours kept rising. You do not beat a business by asking its victims to be more careful. You beat it by attacking its margins. In 25-plus years, I have watched us win the technical-cost arms race and slowly lose the human-cost one. The encouraging part is that the lever has not changed. You win by making the cheap path expensive again.
What leaders should take away
This is the second piece in the series. The first argued that social engineering is a chain, not an event. This one argues that the chain exists because it pays. The next pieces walk that chain stage by stage, starting at Setup, where the attacker spends the little money the whole operation costs, and where, if you are watching, the economics are easiest to break.